Target Corp. was hit by an extensive theft of its customers' credit-card and debit-card data over the busy Black Friday weekend, a brazen breach of the major retailer's information security.
The company early Thursday confirmed a data breach may have affected about 40 million credit- and debit-card accounts between Nov. 27 and Dec. 15. Target said it alerted authorities and financial institutions immediately after it found out about the unauthorized access. It added that it is partnering with a forensics firm to conduct an investigation into the incident.
"We take this matter very seriously and are working with law enforcement to bring those responsible to justice," said Target CEO Gregg Steinhafel in a statement.Michael Reynolds/European Pressphoto Agency The Secret Service is probing a breach of Target's credit-card reading devices.
The Wall Street Journal reported the breach Wednesday, citing people familiar with the matter.
The theft was national in scope and happened in stores, not online, and may have involved tampering with the machines customers use to swipe their cards when making purchases, people familiar with the matter said.
The Secret Service is investigating the breach, a spokesman said, but wouldn't discuss details of the incident while the investigation is ongoing. Secret Service often investigates significant hacks of credit-card data, as part of its mission is to safeguard the country's financial infrastructure and payment systems.
The discount chain has 1,797 stores in the U.S. and another 124 in Canada.
The apparent breach occurred during the period when Americans kick off their holiday shopping and store traffic is around its highest of the year. Retailers try to lure shoppers to stores on Black Friday with "door buster" deals and overnight hours that often draw big crowds. The breach may have gone into the Monday after Thanksgiving, one of the people said.
The thieves gained access to data that is stored on the magnetic stripe on the back of the credit and debit cards, according to the people familiar with the breach. The stripe contains data that is valuable for making counterfeit cards, such as account numbers and expiration dates, but it wasn't immediately known which data was vulnerable.
Hackers typically aim to sell such information in bulk on the black market to people who use it to produce fake credit or debit cards. Crime rings can use the fake cards to buy gift cards from major retailers and convert them eventually into cash, according to investigators and former U.S. officials.
One of the biggest incidents to hit the industry took place in 2007, when thieves stole card numbers and personal data on up to 90 million cards belonging to people who had shopped at stores owned by TJX Cos., parent of T.J. Maxx, HomeGoods and other discount chains.
In July, federal prosecutors unsealed criminal charges in an ongoing investigation of a group of people believed to have stolen more than 160 million credit and debit card numbers from companies including J.C. Penney Co., 7-Eleven, Nasdaq OMX Group, JetBlue Inc. and others over several years.
Dow Jones Inc., a unit of News Corp. and publisher of The Wall Street Journal, was among the companies affected.
Penney, 7-Eleven, and JetBlue didn't respond to requests for comment. Dow Jones and Nasdaq declined to comment.
Target reported $1.6 billion in profit on $51 billion in sales in the nine months ended Nov. 2.
One of the most recent big breaches occurred last year at Global Payments Inc., an Atlanta-based company that processes card transactions on behalf of merchants and banks. In that case, the company disclosed that thieves were believed to have stolen data from up to 1.5 million card accounts.Ben Fox Rubin contributed to this article
Write to Robin Sidel at firstname.lastname@example.org, Danny Yadron at email@example.com and Sara Germano at firstname.lastname@example.org
More From The Wall Street Journal
- Retirees Face High Stock Prices and Low Bond Yields
- Three Big Money Mistakes You Could Be Making Right Now
- Crime & Justice
- The Wall Street Journal